FortiGate
shahrukh_khan
Article Id 411835
Description This article describes the use case of the 'set next-hop-self-rr enable' command in BGP.
Scope FortiGate.
Solution

To address the unexpected next-hop behavior (a route reflector preserves the originating spoke's next-hop by default, so reflected routes point spoke-to-spoke), the hub can be forced to rewrite the next-hop of reflected routes with 'set next-hop-self-rr enable'. This changes the next-hop to the hub's own IP, enforcing hub-centric routing at the cost of shortcut optimization: traffic between spokes always traverses the hub.

The 'set next-hop-self-rr enable' command is a BGP neighbor or neighbor-group option that instructs a route reflector to set its own IP address as the next-hop when reflecting iBGP routes to its clients. Unlike 'set next-hop-self', which rewrites the next-hop of routes learned from eBGP (or originated locally) when they are advertised to a neighbor, this option targets reflected iBGP routes in route-reflector setups, which would otherwise keep the originating spoke's next-hop. In ADVPN/SD-WAN, enabling it ensures spokes route through the hub, which is useful for centralized control, compliance, or when shortcuts are undesirable (for example, due to security inspection policy). The trade-off is higher hub load and added latency for spoke-to-spoke traffic.

Configuration steps to enable it on the hub, on a spoke neighbor that is already a route-reflector client:

config router bgp
    config neighbor
        edit "spoke-ip"
            set next-hop-self-rr enable    <-- Rewrite next-hop for reflected routes.
        next
    end
end

Or for a neighbor-group covering all spokes:

config router bgp
    config neighbor-group
        edit "SPOKES"
            set route-reflector-client enable
            set next-hop-self-rr enable
        next
    end
end

Verification:

The change only takes effect on routes the hub re-advertises, so trigger a re-advertisement. A soft reset is enough and does not tear down the session: execute router clear bgp ip <spoke-ip> soft (on the hub, once per spoke neighbor).

Then check on a spoke that the routes learned from the hub carry the hub's IP as next-hop, using get router info bgp neighbors <hub-ip> received-routes (received-routes is only populated when 'set soft-reconfiguration enable' is set on that neighbor) or get router info bgp network. Every reflected route should now show the hub's IP as next-hop instead of the originating spoke's IP.
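As an added check that is not part of the original article, the following script parses the output of 'get router info bgp network' pasted from a spoke and lists every iBGP route whose next-hop is not the hub. The sample tables below are constructed, and the column layout is an approximation of FortiOS output (an assumption; adjust the regular expression if your firmware prints extra columns). HUB_IP and the prefixes are illustrative values.

```python
import re
from typing import Dict, List

# Hub tunnel IP used as the expected next-hop (assumed value for the example).
HUB_IP = "10.10.10.254"

# Constructed sample: spoke BGP table BEFORE next-hop-self-rr is enabled on the hub.
# Reflected routes still carry the originating spoke's tunnel IP as next-hop.
BEFORE = """\
BGP table version is 7, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.0.0/24      0.0.0.0                  0         32768 i
*>i10.2.0.0/24      10.10.10.2               0    100      0 i
*>i10.3.0.0/24      10.10.10.3               0    100      0 i
*>i172.16.0.0/24    10.10.10.254             0    100      0 i
"""

# Constructed sample: same spoke AFTER the hub rewrites reflected next-hops.
AFTER = """\
BGP table version is 9, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.0.0/24      0.0.0.0                  0         32768 i
*>i10.2.0.0/24      10.10.10.254             0    100      0 i
*>i10.3.0.0/24      10.10.10.254             0    100      0 i
*>i172.16.0.0/24    10.10.10.254             0    100      0 i
"""

# Status flags, then an IPv4 prefix, then the next-hop column. The flag class
# includes 'i' (internal) because FortiOS prints it glued to the prefix (*>i10...).
ROUTE_RE = re.compile(
    r"^(?P<status>[*>sdhSi ]*?)(?P<net>\d+(?:\.\d+){3}/\d+)\s+(?P<nh>\d+(?:\.\d+){3})"
)


def parse_bgp_table(text: str) -> List[Dict[str, object]]:
    """Return one record per route line: network, next_hop, and whether it is iBGP."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, legend, or blank line
        routes.append(
            {
                "network": m["net"],
                "next_hop": m["nh"],
                "internal": "i" in m["status"],
            }
        )
    return routes


def routes_bypassing_hub(text: str, hub_ip: str) -> List[str]:
    """Prefixes of iBGP routes whose next-hop is something other than the hub.

    Locally originated routes (next-hop 0.0.0.0, no 'i' flag) are ignored; any
    remaining entry means the hub is still reflecting the spoke's own next-hop.
    """
    return [
        str(r["network"])
        for r in parse_bgp_table(text)
        if r["internal"] and r["next_hop"] != hub_ip
    ]


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        stray = routes_bypassing_hub(table, HUB_IP)
        print(f"{label}: {len(stray)} reflected route(s) not via hub: {stray}")
```

Running it over a real capture is a quick way to confirm the soft reset actually pushed the rewritten next-hops to every spoke; an empty list for a spoke means all of its reflected routes now point at the hub.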

Related article:

Technical Tip: Understanding Unexpected Next-Hop Behavior in FortiGate ADVPN with BGP